[Client Impact]
Securing Kenya’s Communications Regulator
[Client Impact]
Securing Kenya’s Communications Regulator
Overview
The Communications Authority of Kenya operates the National Kenya Computer Incident Response Team Coordination Centre (National KE-CIRT/CC), the country's national mechanism for managing cybersecurity threats to Kenya's communications infrastructure. An institution responsible for national cybersecurity coordination cannot credibly perform that function without a certified information security framework protecting its own systems and data. ACAL was engaged to build and certify that framework.
5 CA locations secured under a certified ISMS, covering HQ and all 4 regional offices
SO/IEC 27001:2013 certification achieved through Kenya Bureau of Standards (KEBS), the first national communications regulator in Kenya to hold this certification
National KE-CIRT/CC cybersecurity mandate directly reinforced by the ISMS framework
-year client relationship across two distinct phases, reflecting sustained institutional confidence in ACAL's information security practice
Client Context
The Communications Authority of Kenya is the statutory body responsible for regulating Kenya's telecommunications, broadcasting, postal and courier services, and cybersecurity infrastructure. Established under the Kenya Information and Communications Act, the Authority manages spectrum allocation, issues operator licences, enforces compliance across the communications sector, and coordinates the national response to cybersecurity incidents through the KE-CIRT/CC.
The sensitivity of the information CA manages, from spectrum assignment decisions to threat intelligence gathered through KE-CIRT/CC, makes information security a governance requirement, not a technical preference. A regulator that cannot demonstrate its own information security management meets an internationally recognised standard invites questions about the integrity of both its data and the regulatory decisions it supports.
When ACAL was first engaged in 2013, the institution was operating as the Communications Commission of Kenya. The work ACAL delivered was carried through the institution's rebranding as the Communications Authority of Kenya, and the relationship continued into 2020 when the Authority returned to ACAL to extend the ISMS framework to its regional network.
The Challenge
Phase 1 required moving the Communications Commission from its existing information security baseline through a systematic implementation programme that met the full requirements of ISO/IEC 27001:2013 and would satisfy an external certification audit by KEBS. This meant building the ISMS from foundational policy and scope definition through risk assessment, documentation, internal auditor training, and pre-certification audit to final certification, all within a 25-month timeline.
The institutional context added complexity. The Communications Commission housed sensitive regulatory data, commercial confidential information submitted by licensed operators, and early-stage cybersecurity intelligence gathered through what would become the KE-CIRT/CC. Information security failures in any of those categories carried regulatory, legal, and reputational consequences that the Commission could not afford.
Phase 2 presented a different challenge. An ISMS that had been built and certified at headquarters, but not extended to regional offices, left material gaps in the institution's security posture. The four regional offices operated with distinct processes, staff profiles, and documentation states that required individual gap analysis rather than a uniform rollout of HQ templates.
Our Approach
ACAL structured Phase 1 across 12 defined activities, jointly delivered with the Communications Authority's team to build institutional ownership of the ISMS rather than dependence on an external consultant.
Scope and policy definition, gap analysis, and awareness training for top management, ISMS implementation team, and general staff
System documentation and risk assessment with the full Risk Assessment Report, Risk Treatment Plans, and Statement of Applicability completed jointly with CA
Internal auditors trained and deployed, pre-certification audit conducted, and corrective actions closed before KEBS certification
Certification achieved to ISO/IEC 27001:2013 by Kenya Bureau of Standards
Phase 2 extended the framework to four regional offices through a status audit of existing HQ documentation, gap analysis at each regional location, development of new ISMS procedure manuals, and a Management Review Model that gave the Authority a governance structure for information security across its full national footprint.
Solution Deliverd
ACAL delivered the complete ISMS implementation programme for the Communications Authority, culminating in ISO/IEC 27001:2013 certification by KEBS. The Authority received a fully documented, certified information security management system with trained internal auditors capable of sustaining the framework without ongoing consultant dependency.
The client's own ISMS project lead described the engagement: "Achieving ISO 27001 certification and giving our stakeholders confidence that we will protect them against Information Security risks was of critical importance to us and the Communications sector in Kenya, and the region. The ISO 27001 certification complements the operations of the Authority's National KE-CIRT/CC in Cybersecurity management."
In 2020, ACAL returned to extend the certified framework to the Authority's four regional offices, producing new ISMS documentation for all regional locations, updating HQ documentation to address gaps identified in the status audit, and completing the control tools required for consistent information security governance across all five sites.
Director-General Francis W. Wangusi, MBS, wrote on behalf of the Authority: "We wish to confirm that ACAL Consulting has carried out the consultancy services for implementation and certification on Information Security Management Systems based on ISO/IEC 27001:2013. This letter is to express our satisfaction with the services provided by ACAL Consulting leading to certification on ISO 27001 by Kenya Bureau of Standards."
5
CA Locations with Certified ISMS
5
CA Locations with Certified ISMS
12
ISMS Implementation Activities
12
ISMS Implementation Activities
100%
Regional Network Integrated
100%
Regional Network Integrated
7 yrs
Client Relationship
7 yrs
Client Relationship
Impact
The Communications Authority now operates a certified Information Security Management System across its headquarters and all four regional offices. That certification directly supports the Authority's credibility in its cybersecurity coordination role: a regulator that enforces information security standards across Kenya's communications sector is far stronger when it can demonstrate that its own house meets the same standard.
The KE-CIRT/CC, which coordinates Kenya's national response to cybersecurity threats, depends on the integrity of the information it holds and the confidence of the institutions that share threat intelligence with it. An ISO 27001-certified information security environment is the foundation on which that confidence is built.
ACAL's sustained engagement across two phases and seven years reflects the nature of information security governance: it is not a one-time project. Systems evolve, threats change, and institutional footprints expand. CA's decision to return to ACAL in 2020 to extend the ISMS to its regional network is evidence that the framework ACAL built in Phase 1 held up across the years between engagements.
Key Takeaways
A regulator's information security credibility is inseparable from its regulatory authority
The Communications Authority regulates how licensed operators manage information security across Kenya's communications sector. Its authority to do so is strengthened when it can demonstrate that its own systems are secured to the same international standard it requires of the sector. ISO 27001 certification is not merely a compliance achievement for CA. It is a prerequisite for the legitimacy of its regulatory posture.
National cybersecurity infrastructure requires certified institutional security at its centre
The KE-CIRT/CC is Kenya's first line of coordination in a national cybersecurity incident. The intelligence it holds and the relationships it maintains with government agencies, operators, and international cybersecurity bodies depend on trust that the Authority's own information security is robust. ACAL's ISMS implementation gave that trust an internationally recognised, independently verified foundation.
ISMS extension to regional offices is not a duplication of HQ work
The four regional offices of the Communications Authority operate with distinct asset inventories, process owners, staff capacities, and risk profiles. Extending the ISMS from HQ to the regions required individual gap analysis, site-specific documentation, and targeted capacity building at each location. A framework copied from headquarters without adaptation creates paper compliance, not actual information security. ACAL's Phase 2 engagement treated each regional office as a distinct implementation context.
Sector: Information Security, Governance, ISO Certification | Client: Communications Authority of Kenya | Geography: Nairobi, Kenya (HQ and 4 Regional Offices) | ACAL Role: Lead Consultant, ISMS Implementation | Phase 1 Value: USD 109,987 (KES 9,019,000) | Contract Reference: CCK/la/071/37/2013 | Certification: ISO/IEC 27001:2013 by KEBS | Client Contact: Mr. Michael Katundu, Director of Information Technology
How We Helped Clients Grow Smarter
How We Helped Clients Grow Smarter
How We Helped Clients Grow Smarter
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Securing Kenya’s Communications Regulator
Establishing and certifying the information security framework underpinning Kenya’s national communications regulator and cybersecurity mandate.
Independent Oversight on 35 km of PPP Roads
ACAL serves as Independent Engineer for 35.1 km of PPP roads in Western Kenya, overseeing KES 3.5 billion in performance-based payments across four counties.
Laying the Groundwork for Road Upgrades in Kitui County
Producing the economic, engineering, and environmental case for upgrading the roads of a dryland county capital at the centre of Kenya's honey and produce supply chains.
Building the Investment Case for Machakos Town Roads
Delivering the full investment case for Machakos town roads: economic analysis, preliminary designs, and an environmental approvals framework for a network serving over 130,000 residents.
Designing the Water Infrastructure for Meru Town
Designing the full water supply upgrade for Meru's utility, covering intake, treatment, and a 10 km distribution network to serve 150,000 urban residents.
Irrigation Infrastructure at the Nguruman Escarpment
Designing the irrigation infrastructure to open the Rift Valley lowlands to year-round agriculture, giving Maasai communities in Kajiado County a permanent agricultural base.
Change the Game
Work with Experts to Change the Game
Work with Experts to Change the Game
40+ major programmes delivered
100% project completion rate
GCF accredited · One of 54 worldwide
